By Matthew Adams, Co-Founder
Regulatory Compliance and Cloud Adoption

Today, we are talking about regulatory compliance and the Cloud.

The FCA closed its consultation on guidance for the adoption of Cloud services by financial institutions back in 2016.

Although these guidelines are specifically targeted at FS, they are worth reviewing by any organization that handles personal information - which basically means almost anyone who does business in the Cloud.

At endjin, we've been working with our clients, who have all moved some or all of their business to the cloud, to provide feedback to the FCA as part of this consultation process.

In this post, I've pulled out a few of our key observations.

  1. The principles are no different between on-prem, managed provider and cloud datacentres. You can produce an effective compliance plan in any of these scenarios, but there is no free lunch.
  2. Most real-world solutions are likely to be a combination of provision models. An awareness of the risks at the boundaries is essential to a successful compliance plan.
  3. It is not possible to get a fully isolated service from Cloud providers. Standard operating procedures mean that systems may be accessed by service personnel from out-of-region, for example, and you cannot have your own isolated backbone. However...
  4. Cloud providers can lower your risk profile. Physical security, patching, redundancy, key management and disaster recovery scenarios are often more robust than internal data centres, for example.
  5. Standard Cloud provider contracts are not well-tuned for FS applications. Vendors are aware of this issue, and Microsoft in particular are willing to negotiate terms on a case-by-case basis to help overcome specific problems until an overall framework is agreed.
  6. Uncertainty around future regulatory change is a barrier to adoption. A lack of clarity around the direction of future regulation, or the application of existing regulation, creates a climate of uncertainty which tends to retard any change agenda.
  7. Requirements for a vendor-migration plan are restrictive. The lack of standardization between IaaS, PaaS and SaaS services from different vendors makes a vendor-migration plan seem challenging. This requirement needs to be addressed as a core part of the solution architecture.

These seven points are the tip of the iceberg when it comes to implementing regulatory guidelines. If you are interested in discussing any of these issues, then get in touch - we'd love to hear your perspective. It is notable that there are relatively few detailed FS cloud case studies, and we aim to do something about that with great clients like Milliman and Hymans Robertson.

Matthew Adams

Matthew was CTO of a venture-backed technology start-up in the UK & US for 10 years, and is now the co-founder of endjin, which provides technology strategy, experience and development services to its customers who are seeking to take advantage of Microsoft Azure and the Cloud.